SENSITIVE BUT UNCLASSIFIED

United States Department of State
and the Broadcasting Board of Governors
Office of Inspector General

Office of Audits

Audit of Department of State Access Controls
for Major Applications

Report Number AUD-IT-12-44, September 2012

Important Notice

This report is intended solely for the official use of the Department of State or the Broadcasting Board of Governors, or any agency or organization receiving a copy directly from the Office of Inspector General. No secondary distribution may be made, in whole or in part, outside the Department of State or the Broadcasting Board of Governors, by them or by other agencies or organizations, without prior authorization by the Inspector General. Public availability of the document will be determined by the Inspector General under the U.S. Code, 5 U.S.C. § 552. Improper disclosure of this report may result in criminal, civil, or administrative penalties.

PREFACE

This report was prepared by the Office of Inspector General (OIG) pursuant to the Inspector General Act of 1978, as amended, and Section 209 of the Foreign Service Act of 1980, as amended. It is one of a series of audit, inspection, investigative, and special reports prepared by OIG periodically as part of its responsibility to promote effective management, accountability, and positive change in the Department of State and the Broadcasting Board of Governors.

This report is the result of an assessment of the strengths and weaknesses of the office, post, or function under review. It is based on interviews with employees and officials of relevant agencies and institutions, direct observation, and a review of applicable documents.

The recommendations therein have been developed on the basis of the best knowledge available to the OIG and, as appropriate, have been discussed in draft with those responsible for implementation. It is my hope that these recommendations will result in more effective, efficient, and/or economical operations.

I express my appreciation to all of those who contributed to the preparation of this report.

Harold W. Geisel
Deputy Inspector General

Acronyms
AIS        automated information system
CA         Bureau of Consular Affairs
DS         Bureau of Diplomatic Security
FAM        Foreign Affairs Manual
IRM        Bureau of Information Resource Management
ISSO       Information Systems Security Officer
IT         information technology
ITAB       Information Technology Asset Baseline
NCD        Net-Centric Diplomacy
OIG        Office of Inspector General
SMART-C    Classified State Messaging and Archive Retrieval Toolset

(U) Table of Contents

(U) Section .... (U) Page

(U) Executive Summary .... 1
(U) Background .... 3
(U) Objective .... 5
(U) Audit Results .... 5
      (SBU) Finding A. Protection of Sensitive Cables Remains a Challenge .... 6
      (b) (5) .... 10
      (SBU) Finding C. Account Management Procedures Need Strengthening .... 11
      (SBU) Finding D. System Administrator Activities Are Not Monitored Effectively .... 15
      (SBU) Finding E. Patch Management Program for Databases Is Not Effective .... 16
(U) List of Recommendations .... 20
(U) Appendices
      A. (U) Scope and Methodology .... 22
      B. (U) Office of Inspector General Reports Related to Audit .... 31
      C. (SBU) Proposed Net-Centric Diplomacy Security Enhancements .... 33
      D. (SBU) Bureau of Information Resource Management Response .... 34
      E. (SBU) Bureau of Diplomatic Security Response .... 40
      F. (SBU) Bureau of Consular Affairs Response .... 43
      G. (U) Bureau of Human Resource Response .... 44
(U) Major Contributors to This Report .... 46

(U) Executive Summary

(U) Access controls consist of physical and logical controls that are intended to provide reasonable assurance that system resources such as hardware, data files, application programs, and underlying operating systems are protected against unauthorized access, operation, modification, disclosure, loss, or impairment.
Physical access controls ensure that system assets are physically protected from unauthorized access, and logical access controls provide assurance that only authorized users may access system data and programs. Access controls on the major applications and databases that store sensitive information within the Department of State (Department) must be suitably robust to prevent unauthorized access.

(U) The objective of this audit was to determine the effectiveness of logical access controls pertaining to selected major applications used by the Department. Specifically, the audit was to determine whether logical access controls were in place and were operating effectively.

(SBU) The Office of Inspector General (OIG) found that the Department had made overall progress toward implementing effective logical access controls for major applications. However, during the audit, OIG found five weaknesses pertaining to logical access controls in the applications and related databases reviewed both domestically and at the three embassies visited: Embassy Buenos Aires, Argentina; Embassy Madrid, Spain; and Embassy Accra, Ghana. These five weaknesses are described as follows:

• (SBU) Protection of Sensitive Department Cables

(SBU) Two years after the unauthorized release of sensitive cables to the public through the Wikileaks organization,¹ (b) (5) cable-related applications such as Net-Centric Diplomacy (NCD) and Classified State Messaging and Archive Retrieval Toolset (SMART-C). Progress in addressing the NCD weaknesses that made the Wikileaks incident possible has been very slow.

• (U) Vulnerability Scanning

(SBU) No formal vulnerability scanning process existed for databases as part of the risk management strategy, even though important operations such as consular affairs and financial management routinely rely on databases to support operations. Further, the Bureau of Diplomatic Security (DS) had not procured database scanning software necessary to accomplish this task. Lack of a database vulnerability scanning process weakens the Department's ability to proactively identify and remediate database security configuration weaknesses before they are exploited.

¹ (U) The alleged copying and release of thousands of Department cables to the public was accomplished by the Wikileaks organization.

• (U) Account Management

(SBU) OIG identified account management deficiencies. Specifically, requirements in the Foreign Affairs Manual (FAM) (b) (5) were not always being followed. Moreover, system administrators did not perform periodic account revalidation, which was contrary to FAM requirements as well as deleterious to system security.

• (U) Oversight of System Administrator Activities

(SBU) OIG found that audit logs for all of the applications audited were not reviewed periodically. OIG learned that because of limited staff, there was an operational need to provide all system administrators with the same permissions to enable other system administrators to perform the tasks necessary to continue operations when other system administrators are not available. (b) (5)

• (U) Patch Management

(SBU) OIG found that database administrators were not following the Department's patch management policies for its databases. (b) (5) Patch management is an important factor in mitigating database vulnerability risks, and up-to-date patch installation can help allay these risks.

(SBU) Weaknesses in logical access controls render sensitive information in Department applications and databases vulnerable to compromise, jeopardizing the confidentiality, integrity, and availability of the stored and processed information.

(U) OIG made 10 recommendations associated with the five finding areas to enhance the security posture of the Department's major applications. The most significant of these recommendations are as follows:

• (SBU) Identify and obtain personnel who have the expertise to develop the needed security enhancements to the NCD application.
• (SBU) Develop a comprehensive strategy for periodic database vulnerability scanning to ensure that database vulnerabilities are identified and remediated.
• (SBU) Develop a patch management strategy to ensure that database security patches are applied in a timely manner.
• (SBU) Identify and provide appropriate training for post SMART-C administrators to ensure clarity of the SMART-C access controls features.
• (SBU) Periodically review and remove (b) (5) to prevent potential malicious use (b) (5)
• (SBU) Perform periodic reviews of audit logs to proactively detect and investigate potential security incidents.

(U) In August 2012, OIG provided a draft of this report to the Bureaus of Information Resource Management (IRM), Diplomatic Security (DS), Consular Affairs (CA), and Human Resources (HR). OIG made 10 recommendations.

• (U) Recommendations 1, 2, 3, 4, 7, 9, and 10 were addressed to IRM. IRM concurred with Recommendations 1, 2, 4, 7, 9, and 10 but did not concur with Recommendation 3. (IRM's response is in Appendix D.)
• (U) Recommendation 5 was addressed to DS, which concurred with the recommendation. (DS's response is in Appendix E.)
• (U) Recommendation 8 was addressed to CA, which concurred with the recommendation. (CA's response is in Appendix F.)
• (U) Recommendation 6 was addressed to HR. HR did not state concurrence or nonconcurrence with the recommendation but indicated that a process was in place to address the recommendation and requested that the recommendation "be removed or closed." However, OIG determined through its fieldwork that the process described in the response was not working as intended. (HR's response is in Appendix G.)

(U) Based on the responses to the 10 recommendations, OIG considers eight recommendations (Nos. 1, 2, 4, 5, 7, 8, 9, and 10) resolved, pending further action, and two recommendations (Nos. 3 and 6) unresolved. IRM and HR, respectively, need to implement control procedures to address the weaknesses identified in Recommendations 3 and 6.

(U) For Recommendation 3, IRM did not present sufficient justification to address the necessary oversight of the system administrators to protect sensitive Department information. OIG believes that the seriousness of this weakness requires management to oversee the system administrators and hold them accountable for their actions.

(U) Actions stated in HR's response to Recommendation 6 were not supported by what OIG found in its recent fieldwork. That is, the system administrators have not been receiving the monthly Separation Reports. However, based on the January 2012 changes stated in HR's response, this situation may be improving.

(U) The bureaus' responses to each recommendation and OIG's replies to these responses are presented after each recommendation.

(U) Background

(U) Effective logical access controls are critical for any organization that depends on information technology (IT) and even more important for Federal Government agencies, such as the Department, where maintaining the public's confidence both locally and internationally is essential. The widespread use of the Internet has changed how agencies conduct business. Although use of the Internet has brought about many benefits for agencies to help them meet their mission objectives, it also exposes Federal networks and applications to potential threats.

(U) Without effective logical access controls, information systems are vulnerable to attack by individuals and groups who may have malicious intent to intrude and use their unauthorized access to compromise the confidentiality, integrity, and availability of these systems. Over the past several years, Federal agencies have reported an increasing number of security incidents, including the Wikileaks incident that resulted in the unauthorized release of sensitive cables to the public.

(U) OMB Circular A-130, Appendix III,² further establishes a minimum set of controls to be included in Federal automated information security programs. These controls include logical access controls such as separation of duties enforced by limitations on the processing privileges of individuals.
IRM manages the Department's computer networks.³ The Department's bureaus provide mission-oriented systems and applications to Department users in support of their respective functions. User access controls to these systems and applications, both physical and logical controls, are administered by the respective bureaus and are required to meet the minimum control standards set forth in the Department's policies. The Chief Information Officer (CIO) is responsible for directing and administering the Department's information security program and for serving as the principal adviser to the Secretary of State on the development, implementation, and, as necessary, the revision of policies, plans, and programs for information resources management.

(U) National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 3,⁴ provides the recommended controls needed to enforce access to Federal information and information systems. For example, least privilege controls require "only authorized accesses for users (and processes acting on behalf of users) that are necessary to accomplish assigned tasks in accordance with organizational missions and business functions."

(U) The Department's FAM sets forth policies and procedures that require all personnel accessing the Department's automated information system (AIS) to be given access levels based on a need-to-know⁵ basis, appropriate supervision, and knowledge of their AIS security responsibilities.

² (U) OMB Circular A-130, Management of Federal Information Resources, app. III, "Security of Federal Automated Information Resources."
³ (U) Computer networks are information systems implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.
⁴ (U) NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, rev. 3, Aug. 2009.
⁵ (U) "Need to know" is a method of isolating information resources based on users' needs to have access to that resource in order to perform their jobs but no more. The terms "need to know" and "least privilege" express the same idea. "Need to know" is generally applied to people, while "least privilege" is generally applied to processes.

(U) OMB Circular A-130, Appendix III, defines a "major application" as "an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application." Effective logical access controls are therefore paramount in preserving the confidentiality, integrity, and availability of these applications. As of April 2011, the Department's Information Technology Asset Baseline⁶ (ITAB) contained 197 active major applications. To attain its audit objective, OIG planned to review logical access controls for a sample of major applications from ITAB. (Sampling details are in Appendix A.)

(U) Objective

(U) The objective of this audit was to determine the effectiveness of logical access controls pertaining to selected major applications used by the Department. Specifically, the audit was to determine whether logical access controls were in place and were operating effectively.

(U) Audit Results

(SBU) OIG reviewed logical access processes and procedures around major applications pertaining to account authorization, periodic account revalidation, concept of least privilege,⁷ separation of duties, audit log monitoring, and database vulnerability assessments. OIG's final sample comprised 19 major applications. OIG found weaknesses pertaining to logical access controls in the applications and related databases reviewed both domestically and at the three embassies visited during the audit: Embassy Buenos Aires, Embassy Madrid, and Embassy Accra. Of the 19 applications sampled, OIG performed a manual review of access controls processes and procedures for 16⁸ applications and determined the following:

• (SBU) Of 16 applications, 11 had procedures in place for account authorization and 14 had access controls features that enforced the concept of least privilege.
• (SBU) Systems administrators for 13 of 16 applications did not have (b) (5)
• (SBU) Systems administrators and personnel officers for 14 of 16 applications did not have formal processes for obtaining formal notifications of (b) (5)
• (SBU) For all 16 applications reviewed, there were no formal processes in place for (b) (5)
• (b) (5)

⁶ (U) ITAB is the Department's official inventory of applications.
⁷ (U) The concept of least privilege is the security objective of granting users only those accesses they need to perform their official duties.
⁸ (U) Of the remaining three applications from OIG's sample of 19, two applications, the Consular Lookout and Support System (CLASS) and the Automated Biometric Identification System (ABIS), were back-end processing applications and were not manually reviewed by OIG. The Travel Document Issuance System (TDIS) was not manually reviewed because of the geographical distribution of its user base and OIG's resource limitations. Related databases for all three applications were subjected to automated scanning. Further, OIG reviewed the Consular Electronic Application Center (CEAC) and found that it is a public facing application, to which OIG's audit procedures generally do not apply.

• (b) (5) (Database vulnerability scans could not be conducted for six of 19 major applications in OIG's final sample because of the scope limitations detailed in Appendix A, "Scope and Methodology.")

(SBU) Based on the information cited, OIG found that overall progress has been made toward the implementation of effective logical access controls for major applications but noted that challenges remained. The Department needs to address several control weaknesses, as described in Findings A–E, that were found both domestically and at the three overseas embassies OIG visited.

(SBU) Finding A. Protection of Sensitive Cables Remains a Challenge

(SBU) Two years after the Wikileaks incident, logical access controls for key cable-related applications continued to have weaknesses (b) (5) Within OIG's sample of 19 major applications, two applications, NCD and SMART-C, (b) (5) NCD was the application involved in the Wikileaks cables incident. (b) (5)

(b) (5)

(U) The FAM¹¹ requires the Department to establish "personnel security procedures which require that all employees accessing any of the Department's classified automated information system (AIS) processing resources . . . to have the appropriate access levels and need to know in connection with the performance of official duties."

(U) Further, the FAM¹² states, "The data center manager and the system manager enable the audit trail feature on the operating system and install any required security software to record security incidents listed in 12 FAM 637.1-9."

⁹ (U) Telegrams, also called "cables," are the official record of Department of State policies, program activities, post operations, and personnel management. Official communications are to be preserved as a cable or a record e-mail. These messages are available through several internal resources.
¹⁰ (b) (5)
¹¹ (U) 12 FAM 631.1, "Personnel Security."
¹² (U) 12 FAM 637.3-3, "Establishing Audit Trails and Logs."

(U) Net-Centric Diplomacy Application

(SBU) NCD was developed for the purpose of sharing diplomatic reporting information, including cables, with the Department and other Government agencies. This sharing of information is accomplished through the Secret Internet Protocol Router Network¹³ (SIPRNet). The shared diplomatic cables consist of SIPDIS¹⁴ captioned cables. These are cables deemed appropriate for interagency sharing.
In the Wikileaks incident, the alleged perpetrator downloaded several thousand cables and is alleged to have provided this information to an unauthorized source.

(SBU) IRM officials stated that access to NCD via SIPRNet was discontinued after the Wikileaks incident. However, as of March 12, 2012, when OIG met with IRM officials, OIG found the following logical access controls weaknesses for NCD:

(b) (5)

(SBU) IRM officials stated that a project had been initiated to redesign NCD to address the access control weakness after the Wikileaks incident. Per a plan of action provided to OIG by the NCD team (NCD.09.00.00 Plan of Action, dated February 12, 2012), the purpose of the redesign effort was to make software modifications to enhance the security posture of NCD.¹⁹ The software security requirements addressed in the redesign included the addition of user authentication, implementation of code changes to reduce data vulnerabilities, configuration of the non-SIPDIS caption exclusion capability, audit trail capability, user-based download threshold alerts, ability to turn off certain NCD features, and the capability to remove comments to preserve the integrity of cables. (Details of these security enhancements are in Appendix C.) However, IRM officials stated that the enhancements had not been completed for three primary reasons: (1) a lack of technical expertise on the part of the contractor supporting the application; (2) difficulty finding contractor personnel with top secret/sensitive compartmented information clearances; and (3) difficulty in understanding the NCD application because the Bureau of Resource Management did not provide the full source code for NCD, as well as sufficient documentation for the application, during the transition to IRM.

¹³ (U) SIPRNet is the Department of Defense-funded, Defense Information Systems Agency-managed, secret-level classified Intranet. SIPRNet provides Internet-like connectivity to a host of agencies throughout the Federal Government.
¹⁴ (U) SIPDIS is the Department's distribution caption that facilitates inter-agency information sharing of classified and unclassified cables via the U.S. Government's SIPRNet.
¹⁵ (U) Evaluation of Department of State Information Security Program (AUD/IT-12-14, Nov. 2011).
¹⁶ Authentication means verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
¹⁷ (U) "Hard coded" means that a data value or behavior is written directly into a program.
¹⁸ (U) The source code is the form in which a computer program is written by the programmer.
¹⁹ (U) The NCD redesign effort comprised four subprojects, known collectively as "Eclipse."

(U) SMART-C Application

(SBU) SMART-C provides users with the ability to send e-mails and cables and can be accessed by users with ClassNet access. Regarding SMART-C, OIG determined the following:

• (SBU) All six post administrators at the embassies visited had unrestricted access to the content of all captioned cables at their respective embassies. In addition, all four SMART administrators at the Main State Messaging Center have unrestricted access to the content of all cables. IRM officials stated that all the system administrators require full access to cables so that they can collaboratively manage and troubleshoot issues such as those related to the delivery of the cables. (b) (5)

• (SBU) SMART-C audit logs did not provide the information needed for post administrators to detect abnormal end user or administrator activity. IRM Messaging Office personnel stated that the current audit log capabilities of SMART-C were not developed for post administrator use but for SMART-C developers to facilitate the detection of application issues. Thus the audit log was useful to the development team but was not useful for detecting unusual activity by users or administrators.

• (SBU) There was a lack of clarity regarding the use of Role Based Access Controls²⁰ (RBAC) features, such as the use of Traffic Analysis by Geography and Subject²¹ (TAGS) captions, and dissemination rules among post administrators. Post administrators stated that the lack of clarity regarding the RBAC features was due to insufficient SMART training. When post administrators responsible for administering and securing SMART-C are unclear about the application's security features, confidentiality of the contents of captioned cables could be at risk.

²⁰ (U) RBAC is a model for controlling access to resources where permitted actions on resources are identified with roles rather than with individual subject identities.
²¹ (U) TAGS are labels to help ensure that the right telegrams are seen by the right readers.

(SBU) Some of the Federal Government's most sensitive information exists in cables stored in applications such as NCD and SMART-C. Without resolving the logical access controls issues inherent in these applications, an incident similar to Wikileaks could occur. Additionally, if SMART-C administrators do not receive the appropriate training to enable them to fully understand and implement the RBAC features of the application, there is the risk that sensitive cables could be exposed to unintended audiences. Also, without a useful audit trail of user activity in both NCD and SMART-C, administrators are less likely to detect and investigate suspicious activity relating to cable access.

(SBU) Recommendation 1. OIG recommends that the Chief Information Officer acquire the technical resources and implement the enhancements identified by the Net-Centric Diplomacy (NCD) team in NCD.09.00.00 Plan of Action, dated February 12, 2012, to ensure that users do not have broader access to cables than what is required to perform their duties.

(SBU) Management Response. IRM concurred with the recommendation, stating that actions will be taken "to acquire the necessary technical resources to implement" the Plan of Action. IRM further stated, "As of June 11, 2012, these resources have been acquired and a full team of developers is in place and actively working on the NCD.09.00.00 software release."

(SBU) OIG Reply. OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing actions IRM has taken to enhance the security posture of NCD as detailed in the NCD.09.00.00 Plan of Action.

(SBU) Recommendation 2. OIG recommends that the Chief Information Officer establish standard training requirements for post Classified State Messaging and Archive Retrieval Toolset (SMART-C) and ensure that system administrators receive required training before they are assigned and annually thereafter.

(SBU) Management Response. IRM concurred with the recommendation, stating that the Foreign Service Institute had "established week-long classroom and long distance system administrator training based on training requirements from IRM."

(U) OIG Reply. OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing actions taken by IRM to improve the training of system administrators.

(SBU) Recommendation 3. OIG recommends that the Chief Information Officer implement logical access controls to ensure that system administrators do not have the ability to read information within sensitive cables that they do not need to perform their administrative duties.

(SBU) Management Response. IRM did not concur with the recommendation, stating that because of "critical mission functions of Embassies abroad, and the impact upon safety issues, Foreign Service Information Technology personnel are required to have full administrative access to all systems."

(SBU) OIG Reply. While OIG recognizes the critical nature of embassies' operations and the important role of Foreign Service Information Technology personnel, accountable and controlled access to sensitive information such as captioned cables must be maintained. A remedy to promote accountability and control, while granting access to legitimate information when needed, would be to assign system administrators unique accounts with permissions that log access to information. This action, along with effective oversight, would help protect access to sensitive Department information and fix accountability. OIG considers this recommendation unresolved and will continue discussions with IRM during the audit compliance process to pursue implementation of the recommendation.

(SBU) Recommendation 4. OIG recommends that the Chief Information Officer equip the Net-Centric Diplomacy (NCD) and Classified State Messaging and Archive Retrieval Toolset (SMART-C) applications with audit trail capabilities to log user and administrator activity.

(SBU) Management Response.
IRM concurred with the recommendation, stating that\n                 as of May 31, \xe2\x80\x9cThe audit trail capability had been implemented in NCD.\xe2\x80\x9d IRM further\n                 stated, \xe2\x80\x9cThe audit log contains ALL administrative changes to SMART.\xe2\x80\x9d IRM also\n                 stated that it, \xe2\x80\x9cin consultation with DS, will continue to seek [a] commercial or custom\n                 solution\xe2\x80\x9d that detects anomalies in major applications but that it \xe2\x80\x9chas been unable to find\n                 a COTS product that will validly detect anomalies.\xe2\x80\x9d\n\n                 (SBU) OIG Reply. OIG considers the recommendation resolved. This recommendation\n                 can be closed when OIG reviews and accepts documentation supporting audit trail\n                 capabilities and showing that the Department has implemented a solution that detects\n                 anomalies in major applications.\n(b) (5)\n\n\n\n\n      22\n           (U) 12 FAM 615.1, \xe2\x80\x9cAssistant Secretary, Bureau of Diplomatic Security (DS).\xe2\x80\x9d\n                                                      10\n                                          SENSITIVE BUT UNCLASSIFIED\n\x0c                                          SENSITIVE BUT UNCLASSIFIED\n   (b) (5)\n\n\n\n             (U) The FAM23 states, \xe2\x80\x9cDS/SI/CS [DS\xe2\x80\x99s Security Infrastructure Directorate, Computer\n      Security], the Evaluation and Verification Program personnel, must scan for vulnerabilities in the\n      information system24 periodically, as well as when significant new vulnerabilities affecting the\n      system are identified and reported.\xe2\x80\x9d\n(b) (5)\n\n\n\n\n      (SBU) Finding C. Account Management Procedures Need Strengthening\n\n              (SBU) OIG identified one or more account management deficiencies for the 16\n      applications reviewed. 
Specifically, system administrators and personnel officers generally did not have formal processes for removing user and administrator access from applications when an employee changed jobs within the Department, retired, or resigned. In addition, system administrators did not perform periodic account revalidation, which was contrary to requirements in the FAM and detrimental to system security. The deficiencies occurred because system administrators were not adhering to the existing procedures for performing these activities as prescribed in the FAM. Without ensuring that system owners comply with the FAM regarding the removal of unneeded accounts in a timely manner, there is the risk of unauthorized access to information.

[23] (U) 5 FAM 1065.5, “Vulnerability Scanning.”
[24] (U) The NIST glossary of key Information Security terms defines an “information system” as “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.” Per this definition, the major applications in the scope of this audit and their related databases are examples of the “information system” referenced in 5 FAM 1065.5.

(SBU) Removing User and Administrator Access

(SBU) OIG determined that for 14 of 16 major applications reviewed, standardized processes had not been implemented to ensure that system administrators were notified in a timely manner (b) (5)

The FAM requires that personnel officers notify the data center manager, the system manager, and the Information Systems Security Officer (ISSO) immediately of any employee or contractor who has access to the system whose employment has been terminated for any reason so that access privileges can be revoked. (b) (5)

(SBU) Only one of the system administrators for the 16 major applications OIG reviewed was able to provide evidence of consistent notification from personnel officers to facilitate the removal of accounts of departing employees. (b) (5)

The system administrators stated that they received notification of employee departures sometimes through the employee’s supervisor and other times from the employee as part of checkout procedures when an employee departed. One system administrator stated that he found out that an employee was leaving the Department only after he received a group e-mail from the departing employee to the entire staff.

(U) Account Revalidation

(SBU) OIG determined that for 13 of 16 applications reviewed, there were no standardized processes for performing periodic account revalidation to identify accounts no longer required. OIG found that the process was haphazard. For instance, one application’s administrator stated that revalidation was performed as part of his occasional troubleshooting of account management issues. In another instance, a system administrator stated that e-mails were sent on a monthly basis to system owners requiring them to confirm accounts but that no responses from system owners were received and no followup e-mails were sent. In other cases, no periodic account revalidation was performed.
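The notification and revalidation gaps described above, together with the duplicate-account condition reported in the consular section that follows, are checks a system owner can run mechanically against the monthly HR Separation Report once it actually reaches the administrator. The Python script below is an added example written for this edit; it is not part of the OIG report or of any Department tool. Both CSV inputs are constructed sample data, every column name is an assumption, the one-year revalidation window mirrors Recommendation 7, and the 30-day processing-lag threshold is an assumed value.

```python
"""Reconcile an application's account export against the monthly HR Separation
Report and the last-revalidation date of each account.

Added example for this edit (not from the OIG report). All inputs below are
constructed sample data and every column name is an assumption.
"""
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed HR Separation Report. As described in the report, it is keyed on
# the date HR processed the action but still carries the effective date.
SEPARATION_REPORT = """\
employee_id,name,effective_date,processed_date
E1001,Adams,2012-03-30,2012-04-02
E1002,Baker,2012-02-15,2012-04-20
E1003,Clark,2012-04-10,2012-04-12
"""

# Constructed application account export (assumed column names).
ACCOUNT_EXPORT = """\
account,employee_id,enabled,last_revalidated
adams,E1001,yes,2011-12-01
baker,E1002,yes,
baker2,E1002,yes,2011-11-15
clark,E1003,no,2012-01-20
davis,E1004,yes,2011-03-01
evans,E1005,yes,2012-03-05
evans_adm,E1005,yes,2012-03-05
"""

REVALIDATION_MAX_AGE = timedelta(days=365)   # annual revalidation (Recommendation 7)
PROCESSING_LAG_LIMIT = timedelta(days=30)    # assumed threshold for late HR processing


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(text):
    return date.fromisoformat(text) if text else None


def reconcile(separations_csv, accounts_csv, as_of):
    """Return the findings a system owner should act on as of `as_of`."""
    separated_on = {}
    late_processing = []
    for row in parse_csv(separations_csv):
        effective = parse_date(row["effective_date"])
        processed = parse_date(row["processed_date"])
        separated_on[row["employee_id"]] = effective
        # A separation processed long after it took effect would have been
        # missing from an effective-date-keyed report for that whole period.
        if effective and processed and processed - effective > PROCESSING_LAG_LIMIT:
            late_processing.append(row["employee_id"])

    enabled = [a for a in parse_csv(accounts_csv)
               if a["enabled"].strip().lower() == "yes"]

    # Finding C (i): enabled accounts whose owner has already separated.
    separated = sorted(a["account"] for a in enabled
                       if a["employee_id"] in separated_on
                       and separated_on[a["employee_id"]] <= as_of)

    # Consular finding: one employee holding several enabled accounts.
    accounts_by_employee = defaultdict(list)
    for a in enabled:
        accounts_by_employee[a["employee_id"]].append(a["account"])
    duplicates = {emp: accts for emp, accts in accounts_by_employee.items()
                  if len(accts) > 1}

    # Finding C (ii): enabled accounts never revalidated, or not within the window.
    overdue = sorted(a["account"] for a in enabled
                     if parse_date(a["last_revalidated"]) is None
                     or as_of - parse_date(a["last_revalidated"]) > REVALIDATION_MAX_AGE)

    return {
        "separated": separated,
        "duplicates": duplicates,
        "revalidation_overdue": overdue,
        "late_processing": late_processing,
    }


def run_example():
    """Run the reconciliation over the constructed data as of 1 May 2012."""
    return reconcile(SEPARATION_REPORT, ACCOUNT_EXPORT, date(2012, 5, 1))


if __name__ == "__main__":
    for kind, items in run_example().items():
        print(f"{kind}: {items}")
```

The script is deliberately conservative: an account is reported for revocation only once the separation's effective date has passed; any employee holding more than one enabled account is flagged regardless of reason, since the FAM allows a second ID only when required for the user's duties and that justification has to be confirmed by a person; and a blank last-revalidated field is treated as overdue rather than as current. Disabled accounts are ignored throughout, so the output is a list of actions, not an inventory.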
According to the FAM,[26] “The ISSO reviews the list of AIS users on a periodic basis to determine whether all users are authorized access to the AIS.” (b) (5)

[25] (U) 12 FAM 621.3-3, “System Access.”
[26] (U) 12 FAM 622.1-8, “Monitoring System Users.”

(SBU) Account Management Issues With Bureau of Consular Affairs Applications

(SBU) OIG found account management weaknesses specific to the Bureau of Consular Affairs (CA) Consular Shared Tables application, used in creating, synchronizing, and managing users for consular applications including, but not limited to, the Passport Information Electronic Records System (PIERS) and the Consular Consolidated Database (CCD), at the three embassies visited (Buenos Aires, Madrid, and Accra). The following weaknesses were identified:

• (SBU) OIG determined that no formal processes existed at the three embassies to facilitate the assignment of roles to new or transferring users. The consular managers stated that they relied on experience in determining what roles should be assigned to users. According to the FAM,[27] the ISSO and system administrators must control and limit access to the level necessary for users to perform their official duties. Without implementing formal processes, there is the risk of users being given broader access than required to perform their duties.

• (SBU) OIG determined that multiple active accounts existed for three users in Embassy Buenos Aires and four users in Embassy Madrid. (b) (5)

The consular managers also stated that they did not disable the previous accounts because of an oversight on their part. According to the FAM,[28] an authorized user must initially be assigned a unique ID and password and may be assigned more than one user ID and password only if it is required for the performance of the user’s duties. Without controlling the ability to create multiple user accounts, accountability may be compromised, since transactions cannot be accurately traced to the actual user.

• (SBU) OIG determined that accounts were not disabled for six users in Embassy Buenos Aires and one user in Embassy Madrid who no longer worked at those embassies. The consular managers stated that these accounts remained active because of an oversight on their part. The FAM[29] requires that the system manager, in conjunction with the ISSO, revoke user access privileges for personnel who are transferred or terminated. (b) (5)

• (SBU) OIG determined that all three embassies had not implemented a formal process for provisioning users to the applications. Consular managers did not provide any reason as to why they did not have a formal process. According to the FAM,[30] supervisors must complete a system access request form for each staff member who requires access to the application. The FAM also requires that the ISSO and the system manager control and limit access to the level necessary for users to perform their official duties. Without following a formal and consistent process, there is a risk of unauthorized users being granted access to the applications.

[27] (U) 12 FAM 622.1-2, “System Access Control.”
[28] (U) 12 FAM 622.1-3, “Password Controls.”
[29] (U) 12 FAM 621.3-3, “System Access.”
[30] (U) Ibid.

(U) Recommendation 6. OIG recommends that the Bureau of Human Resources institute a formal process to notify system owners on a monthly basis of employee departures to ensure the timely removal of accounts of departing or transferring employees.

(U) Management Response. HR did not state concurrence or nonconcurrence with the recommendation. However, HR stated, “Since 2012, HR/EX, through coordination with the office of the Managing Director of CGFS/DCFO (at that time RM/DCFO), has been submitting a monthly Separation Report to all system owners for appropriate action. DCFO regularly provides HR/EX with updates to the system owner distribution list. This list includes designated points of contact as determined by System and Business Managers throughout the Department.”

(U) The response further stated, “At the time of origin, the Report was based upon the effective Date of Separation as recorded in the Global Employment Management System, GEMS. Due to the appearance of a gap in the data when individual actions were not processed in a timely manner by bureaus, HR/EX revised the report logic so that, since January 2012, it has been based upon the processed date. The report, of course, continues to show the effective date so that system owners can take proper action. Due to the fact [that] the requested HR report is in place and is distributed to system owners on a monthly basis, DGHR respectfully requests that this recommendation be removed or closed.”

(SBU) OIG Reply. The process HR explained indicates that HR is taking action to address the issue of a process for notifying system owners of departing employees, but there is a breakdown in the process. OIG determined that although monthly Separation Reports are being submitted, system administrators were not receiving the results. IRM, in coordination with HR, should determine why the monthly reports are not being received.

(SBU) This recommendation is unresolved. This recommendation can be closed when OIG reviews and accepts documentation showing that IRM, in coordination with HR, has implemented actions to notify system owners of the personnel changes.

(SBU) Recommendation 7. OIG recommends that the Chief Information Officer (CIO) require system owners to annually revalidate user and administrator accounts, remove those accounts that no longer require access, and certify to the CIO that revalidation has been completed.

(SBU) Management Response. IRM “substantively agree[d]” with the recommendation, stating that “[s]ystem owners will receive clear guidance to annually revalidate user and administrator accounts and remove those accounts that no longer require access.”

(SBU) OIG Reply. OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts the guidance issued to system owners pertaining to annual revalidation requirements.

(SBU) Recommendation 8. OIG recommends that the Bureau of Consular Affairs (CA), Office of Consular Systems and Technology, provide additional guidance to key users of CA’s applications at post to ensure that consular managers and other key users of those applications understand administrative features related to creating and managing user accounts for consular applications.

(SBU) Management Response. CA agreed with the recommendation, stating that it and its Office of Consular Systems and Technology and Office of the Executive Director are “working to develop standard guidance for consular managers and key application users to safeguard the integrity and accountability of consular processes.” CA further stated that it “will establish consistent procedures for regularly reviewing, validating, and decommissioning user accounts, as well as adding, deleting, and modifying user roles to ensure all users have appropriate access based on clearance level, citizenship status, organization, and need to know.”

(SBU) OIG Reply. OIG considers the recommendation resolved.
This recommendation can be closed when OIG reviews and accepts guidance issued to consular managers and key application users to safeguard the integrity and accountability of consular processes.

(SBU) Finding D. System Administrator Activities Are Not Monitored Effectively

(SBU) OIG determined, for all 16 major applications it reviewed, that audit logs pertaining to system administrator activities were not being reviewed monthly by ISSOs, as required by the FAM.[31] System administrators stated that because of limited staff, there was an operational need to provide all system administrators with the same permissions to enable other system administrators to perform the necessary tasks to continue operations when other administrators were not available. However, when system administrators all have the same level of privileged access to system resources and there is no effective oversight over their activities, (b) (5)

Without periodic reviews of audit logs of administrator activity, potential security incidents may not be detected and resolved in a timely manner.

[31] (U) 12 FAM 629.2-7, “Establishing and Review of Audit Trails/Logs.”

(SBU) Recommendation 9. OIG recommends that the Chief Information Officer institute a formal process to require system owners to certify that the Information Systems Security Officer has reviewed audit logs monthly in order to detect and resolve potential security incidents in a timely manner.

(SBU) Management Response. IRM agreed with the recommendation, stating, “The ISSO and key system administrators of owning sites will be required to review audit logs monthly in order to detect and resolve potential security incidents in a timely manner.”

(SBU) OIG Reply. OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that ISSOs and key system administrators are reviewing audit logs monthly.

(SBU) Finding E. Patch Management Program for Databases Is Not Effective

(SBU) From a sample of 19 applications, OIG performed an automated vulnerability assessment of databases related to 13 applications: seven applications from CA, four applications from DS, and two applications from the Office of the Executive Secretary (ES). Based on its review, OIG determined that the Department did not have an effective patch management program for databases relating to six CA applications, four DS applications, and one ES application. (b) (5)

(U) The FAM[33] requires that system administrators follow guidelines and procedures established by the Department’s Enterprise Patch Management Program (EPM) and apply patches[34] in an expeditious manner.

(SBU) Specifically, OIG found 11 patching issues from its assessment of the databases related to the following 13 applications reviewed:

(b) (5)

(b) (5)

[33] (U) 5 FAM 866, “Patch Management.”
[34] (U) The systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions are known as “patches,” “hot fixes,” and “service packs.”

(b) (5)

• (U) Secretariat Telegram Processing System (STEPS II) – No patching issues were found with this database.

(b) (5)

(U) The Department is a key steward of sensitive information such as passport records. Up-to-date database patch installation can help mitigate vulnerabilities associated with flaws in software code that may lead to unauthorized access to sensitive data.

(b) (5)

(b) (5)

(U) The 19 major applications reviewed and their related finding areas are shown in Figure 1.

(SBU) Figure 1. List of Major Applications and Related Finding Areas

Application                                                 A        B[a]     C-i[b]   C-ii[c]  C-iii[d] D        E
Automated Biometric Identification System (ABIS)[e]
Consular Consolidated Database (CCD)                                          √        √        √        √        √
Consular Electronic Application Center (CEAC)[f]                                                         √        √
Consular Lookout and Support System (CLASS)                                                                       √
Crisis Emergency Planning Application Classified (CEPA-C)                     √        √                 √        √
Electronic State Configuration Resource-ClassNet (e-SCORE)                    √        √                 √
Investigative Management System (IMS-C)                                       √        √                 √        √
Net-Centric Diplomacy (NCD)                                 √                 √        √                 √
Passport Information Electronic Records System (PIERS)                        √        √        √        √        √
Secretariat Telegram Processing System (STEPS II)                             √                          √
Secretariat Tracking and Retrieval System (STARS)                             √                          √        √
Secure Integrated Logistics Management System (S-ILMS)                                 √                 √
Security Incidents (SECINTS)                                                  √        √                 √        √
SMART Core Messaging-Classified (SMART-C)                   √                 √        √                 √
State Archiving System 2 (SAS 2)                                              √        √                 √
SY Namecheck (SYNCH)                                                          √        √                 √        √
The Office of Foreign Missions information                                    √        √                 √
Travel Document Issuance System (TDIS)                                                                            √
Visa Opinion Information Service (VOIS)                                       √        √                 √        √

(U) [a] Finding B is not specific to any application.
(SBU) [b] Removing user and administrator access.
(SBU) [c] Account revalidation.
(U) [d] See section “Account Management Issues With Bureau of Consular Affairs Applications” in report.
(U) [e] OIG understood that CLASS and ABIS are back-end processing applications, so these applications were not manually reviewed by OIG. TDIS was not reviewed because of the geographical distribution of its user base and OIG resource limitations. However, OIG performed a vulnerability scan on these applications’ databases.
(U) [f] CEAC is a public facing Web site. OIG’s limited manual review areas applied to this application. However, OIG performed a vulnerability scan on its database.
(U) Source: OIG analysis.

(U) List of Recommendations

(SBU) Recommendation 1. OIG recommends that the Chief Information Officer acquire the technical resources and implement the enhancements identified by the Net-Centric Diplomacy (NCD) team in NCD.09.00.00 Plan of Action, dated February 12, 2012, to ensure that users do not have broader access to cables than what is required to perform their duties.

(SBU) Recommendation 2. OIG recommends that the Chief Information Officer establish standard training requirements for post Classified State Messaging and Archive Retrieval Toolset (SMART-C) and ensure that system administrators receive required training before they are assigned and annually thereafter.

(SBU) Recommendation 3. OIG recommends that the Chief Information Officer implement logical access controls to ensure that system administrators do not have the ability to read information within sensitive cables that they do not need to perform their administrative duties.

(SBU) Recommendation 4. OIG recommends that the Chief Information Officer equip the Net-Centric Diplomacy (NCD) and Classified State Messaging and Archive Retrieval Toolset (SMART-C) applications with audit trail capabilities to log user and administrator activity.

(SBU) Recommendation 5. (b) (5)

(U) Recommendation 6. OIG recommends that the Bureau of Human Resources institute a formal process to notify system owners on a monthly basis of employee departures to ensure the timely removal of accounts of departing or transferring employees.

(SBU) Recommendation 7.
OIG recommends that the Chief Information Officer (CIO) require system owners to annually revalidate user and administrator accounts, remove those accounts that no longer require access, and certify to the CIO that revalidation has been completed.

(SBU) Recommendation 8. OIG recommends that the Bureau of Consular Affairs (CA), Office of Consular Systems and Technology, provide additional guidance to key users of CA’s applications at post to ensure that consular managers and other key users of those applications understand administrative features related to creating and managing user accounts for consular applications.

(SBU) Recommendation 9. OIG recommends that the Chief Information Officer institute a formal process to require system owners to certify that the Information Systems Security Officer has reviewed audit logs monthly in order to detect and resolve potential security incidents in a timely manner.

(SBU) Recommendation 10. (b) (5)

(b) (5)

(U) Appendix A

(U) Scope and Methodology

(U) The focus of this audit was to determine whether the Department had developed effective logical access controls around its major applications and related databases and provided management with timely results regarding the effectiveness of these controls.

(U) OIG interviewed application and systems administrators and obtained the necessary evidence and documentation to gain an understanding of logical access controls around the applications in the scope of the audit.

(U) In addition, OIG used commercial-off-the-shelf (COTS) database scanning software to perform database vulnerability assessments. OIG selected DbProtect, a product created by Application Security, Inc., and configured the software to utilize the built-in Defense Information Systems Agency Security Technical Implementation Guide for databases, which meets the requirements of the Department’s database configuration policies. DbProtect was used to perform a vulnerability and configuration scan against a sample of the Department’s databases and highlighted areas of risk and where database security process improvements were needed. Based on this analysis, the software provided detailed remediation instructions to eliminate database vulnerabilities and misconfigurations. OIG met with Database Administrators to validate the results to ensure that false positives were eliminated.

(U) To evaluate the adequacy of the logical access controls for the selected applications and related databases, OIG used the following criteria:

• (U) Department policies and procedures in the Foreign Affairs Manual (FAM).
• (U) Office of Management and Budget (OMB) Circular No. A-130, Appendix III.[1]
• (U) National Institute of Standards and Technology (NIST) Special Publications (SP) and Federal Information Processing Standards (FIPS).
• (U) Memorandum M-11-06, Memorandum for the Heads of Executive Departments and Agencies, “WikiLeaks—Mishandling of Classified Information,” November 28, 2010.

(U) The Office of Inspector General (OIG) performed this audit from December 2011–May 2012 in accordance with generally accepted government auditing standards. Those standards require that OIG plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for the findings and conclusions based on the audit objective. OIG believes that the evidence obtained provides a reasonable basis for the findings and conclusions based on the audit objective.

(U) OIG discussed its findings and proposed recommendations with officials from the Department of State’s (Department) Bureau of Administration, the Bureau of Diplomatic Security (DS), the Bureau of Human Resources (HR), the Bureau of Information Resource Management (IRM), the Bureau of Intelligence and Research (INR), the Bureau of Overseas Buildings Operations (OBO), and the Executive Office of the Secretary on June 27, 2012. Additionally, management staff at Embassy Buenos Aires (Argentina), Embassy Madrid (Spain), and Embassy Accra (Ghana) were briefed on preliminary findings on January 27, February 3, and February 10, 2012, respectively.

[1] (U) OMB Circular A-130, Management of Federal Information Resources, app. III, “Security of Federal Automated Information Resources.”

(U) Scope Limitation

(U) According to the FAM,[2] DS is responsible for conducting vulnerability assessments related to the Department’s network systems. Since DS was already positioned to perform the network assessments, OIG made an effort to conduct database vulnerability scans as part of the access controls audit using DS infrastructure.

(U) To conduct database scans outside the DS domain, OIG requested and then created a new service account for its scanning tool DbProtect. However, this new service account lacked the necessary permissions on the DbProtect console to enable the tool to work properly. OIG requested that the newly created service account be added to the local administrators group on the console to give the tool the same rights that enabled it to scan databases within the DS domain. OIG determined that the new service account was never added to the local administrators group as requested. On the appointed scan date, DS officials told OIG that the newly created account had expired. DS officials attempted to recreate the account but were unable to do so within the timeframe required to meet the scanning schedule.

(U) Work Related to Internal Controls

(U) OIG performed steps to assess the adequacy of internal controls by performing manual and automated assessments of logical access controls around major applications and related databases. For example, OIG conducted manual assessments at three embassies, including determining whether accounts were properly authorized, periodic account revalidation was performed, the concept of least privilege was implemented, adequate oversight existed over system administrators, and the Department’s patch management program for database management systems was effective. Furthermore, OIG used an industry-recognized vulnerability assessment tool to test logical access control weaknesses in the databases related to the major applications in the scope of this report. The assessment tool was configured to utilize the Department’s standard database security configuration settings as a basis for identifying any logical access control weaknesses.
OIG validated the results of the assessment with database\nadministrators to ensure that certain application-dependent settings identified by the tool as a\nfinding were ruled out.\n       (U) The internal control deficiencies identified during this audit are detailed in the \xe2\x80\x9cAudit\nResults\xe2\x80\x9d section of this report.\n\n\n\n\n2\n    (U) 12 FAM 615.1, \xe2\x80\x9cAssistant Secretary, Bureau of Diplomatic Security (DS).\xe2\x80\x9d\n                                                23\n                                    SENSITIVE BUT UNCLASSIFIED\n\x0c                                  SENSITIVE BUT UNCLASSIFIED\n\n(U) Use of Computer-Processed Data and Data Reliability\n\n        (U) To assess the reliability of computer-processed data, OIG reviewed electronic\ndocumentation related to the data sources and performed tracing of data to source\ndocumentation. More specifically, OIG obtained, from IRM, a listing of major applications and\nthen verified the accuracy of this list by confirming the existence of each application on the list\nin Information Technology Asset Baseline (ITAB), the Department\xe2\x80\x99s official inventory of major\napplications. From these efforts, OIG determined that the data were sufficiently reliable to\nsupport the conclusions and recommendations in this report.\n\n(U) Detailed Sampling Methodology\n\n        (U) OIG\xe2\x80\x99s sampling objective was to assess the effectiveness of logical access controls\naround the Department\xe2\x80\x99s major applications. Specifically, the testing of a sample of major\napplications will assist in determining whether logical access controls are in place and operating\neffectively.\n\n       (U) This work was conducted at the domestic bureaus and the three embassies listed. The\napplications selected for review were obtained using a nonstatistical sampling method known as\njudgmental sampling. 
Because this method uses discretionary criteria to effect sample selection,\nthe audit team was able to use information garnered during its preliminary work to aid in making\ninformed selections.\n\n        (U) Prime considerations in selecting the three overseas sites included the geographical\ndistribution of the posts, the recency of OIG site visits, and the nature of the controls to be\nevaluated. The major applications under review and their related application controls have been\ngenerally implemented uniformly at all overseas posts; consequently, OIG was able to gain a\nperspective of overseas conditions pertaining to the design and operating effectiveness of these\ncontrols in general from visiting these three locations.\n\n(U) Identification of Population and Selection of Samples\n\n      (U) After identifying ITAB as the Department\xe2\x80\x99s official inventory of major applications,\nOIG requested and received from IRM a listing of all active major applications as of April 5,\n2011. 
The sum of the inventory, or population, was 197 applications.\n\n       (U) In ITAB, the major applications are generally assigned to one of three categories\xe2\x80\x94\nHigh, Moderate, and Low\xe2\x80\x94based on their potential impact level.3 However, OIG noted that\nsome applications in the population did not have an assigned category; consequently, a fourth\ncategory was added.\n\n        (U) To attain the maximum audit coverage given the available resources, OIG grouped\nthe entire population of 197 applications into the four categories and then judgmentally\n\n3\n (U) FIPS 199, \xe2\x80\x9cStandards for Security Categorization of Federal Information and Information Systems,\xe2\x80\x9d Feb.\n2004.\n                                              24\n                                  SENSITIVE BUT UNCLASSIFIED\n\x0c                                  SENSITIVE BUT UNCLASSIFIED\n\ndetermined the number of applications to sample and review from each category based on\nvarious factors. For instance, OIG opted to review all of the applications in the High category\nbecause of the relatively small number of applications in that group and their potential impact.\nFor all the other categories, however, a sample of the applications was selected for review, and\nthis was generally accomplished randomly, although this was not always the case. For the\nModerate category, four applications were selected for the original sample. Two of these\napplications were selected randomly, and the other two applications, Passport Information\nElectronic Records System (PIERS) and the Travel Document Issuance System (TDIS), were\nselected purposely since they had been selected for audit in an audit plan for a prior year but had\nto be deferred because of resource constraints. All 35 of the original samples were selected in\nthis manner, and OIG ultimately sampled and reviewed only 19 of the original samples shown in\nTable 1.\n\n(U) Table 1. 
Population and Samples for the Department\xe2\x80\x99s Major Applications\n                         Population        Original Sample          Exclusions From           Final Sample\n Category                  Total                 Size               Original Sample               Size\n High                       28                    27*                       10                       17\n Moderate                  125                      4                        2                        2\n Low                        17                      2                        2                        0\n Uncategorized              27                      2                        2                        0\n            Total          197                     35                       16                       19\n*Although DS Source was in ITAB, the official inventory of the Department\xe2\x80\x99s major applications, it was excluded\nfrom the original sample because it resides on the U.S. Government\xe2\x80\x99s SIPRNet and not on the Department\xe2\x80\x99s\nNetwork. This effectively reduced the population of \xe2\x80\x9cHigh\xe2\x80\x9d applications from 28 to 27.\n\n        (U) Descriptive information on the original sample of 35 major applications, which\nsubsumes the final sample actually reviewed by OIG of 19 applications, as well as explanations\nfor the exclusion of 16 applications from the final sample, are provided in Table 2.\n\n(SBU) Table 2. Original and Final Samples of the Department\xe2\x80\x99s Major Applications\n                                                                               Excluded From or Included in\n       System                            ITAB Description                             the Final Sample\n Secure Integrated        Secure ILMS is a secure version of ILMS.           
Included in final sample, but OIG\n Logistics                S-ILMS is a Web-based system that will             was not able to perform all the\n Management System        enhance the Department\'s ability to manage         work originally planned because of\n (S-ILMS)                 its requisitioning, procurement, receiving,        a scope limitation (see \xe2\x80\x9cScope\n                          and distribution on the classified network         Limitation\xe2\x80\x9d in this appendix).\n                          (ClassNet).\n State Archiving          SAS2 provides access to the Department\xe2\x80\x99s           Included in final sample, but OIG\n System 2 (SAS 2)         automated Central Foreign Policy File.             was not able to perform all the\n                          SAS2 captures all significant substantive          work originally planned because of\n                          reporting between the Department and its           a scope limitation (see \xe2\x80\x9cScope\n                          overseas posts.                                    
Limitation\xe2\x80\x9d in this appendix).\n Automated                ABIS is a Commercial Off-the-Shelf (COTS)          Included in final sample.\n Biometric                product developed by Identix Incorporated.\n Identification           The ABIS system is an enterprise-level\n System (ABIS)            facial-recognition matching program.\n                                              25\n                                  SENSITIVE BUT UNCLASSIFIED\n\x0c                             SENSITIVE BUT UNCLASSIFIED\n\n                                                                           Excluded From or Included in\n       System                       ITAB Description                              the Final Sample\nConsular Affairs      The CACLI Web site was the direct result of        Excluded because application was\nClassified Intranet   a congressional mandate requiring a                retired during audit.\n(CACLI)               consolidated repository of information\n                      pertaining to terrorist trends and activities to\n                      be utilized by consular personnel.\nConsular              The Consular Consolidated Database is a set        Included in final sample.\nConsolidated          of databases located in Washington, DC, that\nDatabase (CCD)        hold all current data and all archived data\n                      from all CA post databases around the world.\nConsular Electronic   The Consular Electronic Application Center         Included in final sample.\nApplication Center    is an Internet-based full service application\n(CEAC)                service center whereby applicants for visa\n                      services can complete and submit an\n                      application.\nConsular Lookout      The Consular Lookout and Support System            Included in final sample.\nand Support System    (CLASS) is used by passport agencies,\n(CLASS)               consulates, and border inspection agencies to\n               
       perform name checks on visa and passport\n                      applicants in support of the issuance process.\nVisa Opinion          VOIS is a .NET Web application with single         Included in final sample.\nInformation Service   sign-on authentication provided by the\n(VOIS)                Consular Consolidated Database (CCD)\n                      DataMart.\nAlarmNet              AlarmNet provides the connectivity for the         Excluded because of resource\n                      Department of State Domestic Access                constraints.\n                      Control and Intrusion Detection system. It is\n                      the backbone of the system that lets you into\n                      the building.\nCrisis Emergency      CEPA-C assists posts in the development of         Included in final sample.\nPlanning              their emergency action plans according to the\nApplication           new Emergency Planning Handbook.\nClassified\n(CEPA-C)\nFreedom of        The Freedom of Information Act (FOIA)                  Excluded because application was\nInformation SystemCase Tracking System is a fully automated              retired during audit.\n(FOIA)            system designed to easily track and maintain\n                  all case information and activities resulting\n                  from requests for information.\nInvestigative     IMS-C captures all classified case-related             Included in final sample.\nManagement System information; automates, integrates, and\n(IMS-C)           improves DS\xe2\x80\x99s investigative business\n                  processes; establishes a central index\n                  encompassing all DS classified\n                  investigations; and provides investigative\n                  and/or intelligence analysis and analytical\n                  processing while creating internal and\n                  external electronic data sharing.\n\n                                         26\n               
              SENSITIVE BUT UNCLASSIFIED\n\x0c                               SENSITIVE BUT UNCLASSIFIED\n\n                                                                          Excluded From or Included in\n      System                          ITAB Description                           the Final Sample\nPost Security Profile   The Post Security Profile Application           Excluded because application was\nApplication (PSPA)      (PSPA) will support the DS\xe2\x80\x99s mission.           retired during audit.\n                        PSPA stores crisis plans for posts worldwide.\nSecurity Incidents      Provides a method of tracking violations        Included in final sample.\n(SECINTS)               reported on the handling, storage, and\n                        reproduction of information as well as the\n                        protection of automated information systems.\nSY Namecheck            SYNCH, which is owned and maintained by         Included in final sample.\n(SYNCH)                 DS, automates the tasks associated with\n                        tracking personnel clearance status and\n                        clearance folder locations.\nThe Office of           The Office of Foreign Missions Information      Included in final sample, but OIG\nForeign Missions        System (TOMIS) is an integrated, custom         was not able to perform all the\nInformation System      application system designed to support          work originally planned because of\n(TOMIS)                 Office of Foreign Missions (OFM) and Chief      a scope limitation (see \xe2\x80\x9cScope\n                        of Protocol (S/CPR) activities.                 
Limitation\xe2\x80\x9d in this appendix).\nCOMSEC                  CARDS is required to support the                Excluded because of resource\nAccounting              Department\xe2\x80\x99s electronic Black Key               constraints.\nReporting and           Distribution System (BKDS) and\nDistribution System     Communications Security (COMSEC)\n(CARDS)                 accounting and inventory functions world-\n                        wide via ClassNet.\nElectronic State        This is a Web-based configuration               Included in final sample, but OIG\nConfiguration           management system for Department                was not able to perform all the\nResource \xe2\x80\x93 ClassNet     information technology (IT) hardware and        work originally planned because of\n(ClassNet e-            software domestically and overseas.             a scope limitation (see \xe2\x80\x9cScope\nSCORE)                  ClassNet e-SCORE contains classified post       Limitation\xe2\x80\x9d in this appendix).\n                        information, and component-level IT\n                        hardware and software information.\nMachine Readable        The Machine Readable Travel Document            Excluded because of resource\nTravel Document         (MRTD) Public Key Infrastructure (PKI) is a     constraints.\nPublic Key              system of hardware, software, and policies\nInfrastructure and      that enables digital signing of data embedded\nSignature Delivery      on electronic passports.\nService (MRTD PKI\nand SDS)\nNet-Centric             The NCD system is designed expressly to         Included in final sample, but OIG\nDiplomacy (NCD)a        share diplomatic reporting information with     was not able to perform all the\n                        the Department and the interagency              work originally planned because of\n                        community on the U.S. 
Government\xe2\x80\x99s              a scope limitation (see \xe2\x80\x9cScope\n                        SECRET network, accessible to all               Limitation\xe2\x80\x9d in this appendix).\n                        Department employees through the\n                        Department\xe2\x80\x99s ClassNet network.\nPublic Key              The Department\'s Public Key Infrastructure      Excluded because of resource\nInfrastructure and      is a system of hardware, software, and          constraints.\nBLADE                   policies that provide an infrastructure\n(PKI/BLADE)             enabling both digital signature and strong\n\n                                           27\n                               SENSITIVE BUT UNCLASSIFIED\n\x0c                              SENSITIVE BUT UNCLASSIFIED\n\n                                                                          Excluded From or Included in\n      System                        ITAB Description                            the Final Sample\n                       cryptography across the enterprise.\nSMART Core             SMART is a software integration and               Included in final sample, but OIG\nMessaging-             development project to reengineer and             was not able to perform all the\nClassified (SMART-     modernize the formal and working                  work originally planned because of\nC)                     messaging processes and systems in the            a scope limitation (see \xe2\x80\x9cScope\n                       Department. SMART Core Messaging                  Limitation\xe2\x80\x9d in this appendix).\n                       provides direct, secure, and controlled\n                       communication to employees worldwide and\n                       to other Government agencies.\nProjNet-C              ProjNet-C is the classified version of            Excluded because of resource\n                       ProjNet. 
ProjNet facilitates construction         constraints.\n                       project design reviews. Design documents\n                       for specific construction project are made\n                       available on a need-to-know basis through a\n                       secure extranet allowing on-line\n                       collaboration between architecture firms and\n                       OBO staff.\nChief of Mission       This automated application supports the           Excluded because of resource\nand Special            information requirements of the Chiefs of         constraints.\nEmbassy Programs       Mission Authority, National Security\nDatabase (CSEP)        Decision Directive-38, and the Office of\n                       Rightsizing (M/MR). The database\n                       maintained by this application contains\n                       detailed data on full-time permanent\n                       American Department of State positions.\nSecretariat Tracking   STARS is a critical application that tracks       Included in final sample.\nand Retrieval          approximately 70,000 foreign policy\nSystem (STARS)         memoranda (action, briefing, and\n                       information) and correspondence for the\n                       Secretary and six Principal Officers of the\n                       Department. STARS provides a store of\n                       document images.\nSecretariat Telegram   STEPS stores, handles, and routes telegrams.      Included in final sample.\nProcessing System      Designed to help deliver telegrams to the\n(Second Edition) \xe2\x80\x93     Principals and other appropriate offices as\n(STEPS II)             quickly as possible. 
Receives telegrams from\n                       the State communications center and\n                       disseminates them to POEMS users.\nWREN                   The Secretary\'s Worldwide Remote Email            Excluded because of resource\n                       Network (WREN) provides the Secretary             constraints.\n                       with a mobile communications package in\n                       support of a fully transportable computer\n                       network.\nElectronic Visa        EVAF is an on-line version of form DS-156         Excluded because of resource\nApplication Form       for the Internet. Applicants are able to enter    constraints.\n(EVAF)                 data directly into the on-line data entry forms\n                       and then generate and print the completed\n\n                                          28\n                              SENSITIVE BUT UNCLASSIFIED\n\x0c                             SENSITIVE BUT UNCLASSIFIED\n\n                                                                       Excluded From or Included in\n      System                        ITAB Description                         the Final Sample\n                     application forms for presentation to post.\nRemote Data Entry    RDS is used overseas to assist in the            Excluded because application was\nSystem (RDS)         collection on nonimmigrant visa applicant        retired during audit.\n                     data. There are two application components:\n                     RDS Client Software and RDS Server\n                     Software. The RDS Client software is\n                     distributed to remote sites outside the\n                     Consulates. 
The server software is used to\n                     connect to the Non-Immigrant Visa (NIV)\n                     database over the network and upload data\n                     collected by the client software.\nPassport Information The PIERS system, PIERS Query, replaces          Included in final sample.\nElectronic Records   Passport Files miniaturization Web (PFM\nSystem (PIERS)b      Web) and Passport Files Miniaturization\n                     (PFM). PIERS Query is the single Web\n                     portal for all passport data.\nTravel Document      TDIS is the Parent for the automated             Included in final sample.\nIssuance System      passport system that issues electronic\n(TDIS)c              machine-readable passports domestically in\n                     conformance with worldwide standards\n                     established by the International Civil\n                     Aviation Organization (ICAO).\nBudget Allocation    The Budget Allocation Tracking System            Excluded because of resource\nTracking System      (BATS) is an HROnline component                  constraints.\n(BATS)               application used for tracking and controlling\n                     HR budgets, commitments, obligations, and\n                     expenditures against the various HR\n                     appropriations, allotments, organizations,\n                     functions, and object codes.\nF-77                 The F-77, \xe2\x80\x9cReport of Potential Evacuees,\xe2\x80\x9d is     Excluded because of resource\n                     submitted by all Foreign Service posts. 
The      constraints.\n                     reports provide detailed data on the number\n                     and location of American citizens and other\n                     potential evacuees abroad.\n\n\nConsular Visa         The visa consolidation program is a strategic   Excluded because of resource\nSystems (CVS)d        effort that will transform and modernize the    constraints.\n                      systems supporting visa operations\n                      domestically at Department headquarters, the\n                      Kentucky Consular Center (KCC), the\n                      National Visa Center (NVC), and overseas at\n                      all visa processing posts.\nExecutive Agency      The Executive Agency Personnel Support          Excluded because of resource\nPersonnel Support     (EAPS) system is a Web-based application        constraints.\n(EAPS)                used to review, validate, audit, and\n                      continuously manage individual agencies\xe2\x80\x99\n\n                                         29\n                             SENSITIVE BUT UNCLASSIFIED\n\x0c                                   SENSITIVE BUT UNCLASSIFIED\n\n                                                                                  Excluded From or Included in\n        System                          ITAB Description                                the Final Sample\n                           overseas personnel, assignment, and position\n                           data.\na\n  (SBU) This application was the source of the Wikileaks Department of State documents.\nb\n   (U) This system had previously been selected for audit as a followup to report Review of Controls and Notification\nfor Access to Passport Records in the Department of State\xe2\x80\x99s Passport Information Electronic Records System\n(PIERS) (AUD/IP-08-29, July 2008) and therefore was not part of the random sample.\nc\n  (U) Ibid.\ne\n  (U) This application has since been 
withdrawn.\n(U) Source: OIG analysis.\n\n\n\n\n                                               30\n                                   SENSITIVE BUT UNCLASSIFIED\n\x0c                                    SENSITIVE BUT UNCLASSIFIED\n\n                                                                                             Appendix B\n\n                 (U) Office of Inspector General Reports Related to Audit\n\n        (U) Reports issued by the Office of Inspector General (OIG), Office of Audits, identified\nareas of weaknesses in access controls.\n\n      \xef\x82\xb7    (U) Review of Department of State Information Security Program (AUD/IT-11-07,\n           November 2010)\n\n           (U) In this review, OIG found that the application software that controls access to\n           OpenNet Everywhere (ONE) software, which is the Department of State\xe2\x80\x99s (Department)\n           remote access tool, was configured to allow the use of a non-NIST compliant encryption\n           algorithm.1 Additionally, OIG found that ONE was not configured to terminate a user\xe2\x80\x99s\n           online session after 20 minutes of inactivity. The Foreign Affairs Manual2 (FAM)\n           requires remote access program managers to configure the remote session to terminate\n           \xe2\x80\x9cafter 20 minutes of inactivity.\xe2\x80\x9d OIG is awaiting confirmation on the status of the related\n           recommendations from the Department.\n\n           (U) Further, OIG found issues with the Department\xe2\x80\x99s continuous monitoring program,\n           including access controls around applications. Specifically, OIG found that scanning\n           tools used by the Department do not assess Oracle configurations for control weaknesses,\n           which could adversely impact application access controls. 
Scanning results for routers,\n           firewalls, and Demilitarized Zone servers are therefore not captured in iPost, the\n           Department\xe2\x80\x99s main continuous monitoring tool.\n\n      \xef\x82\xb7    (U) Review of Controls and Notification for Access to Passport Records in the\n           Department of State\xe2\x80\x99s Passport Information Electronic Records System (PIERS)\n           (AUD/IP-08-29, July 2008)\xc2\xa0\n\n           (U) In this review, OIG found that the Department had not implemented adequate\n           controls to prevent or detect unauthorized access, similar to those controls in place at the\n           Internal Revenue Service and the Social Security Administration. At those two agencies,\n           large amounts of electronic Personally Identifiable Information (PII) are protected by\n           access controls, such as having tiered user access permissions for granting access at level\n           needed (for example, limited to full), blocking user access from certain records, and\n           conducting audits of access activity logs. The related recommendation has not been\n           closed as of June 2012.\n\n        (U) OIG\xe2\x80\x99s Office of Inspections issued one report related to the current audit that\nidentified access weaknesses.\n\n\n\n1\n    (U) Information Security Program at the Department of State (AUD/IT-11-07, Nov. 2010).\n2\n    (U) 12 FAM 682.2-3, \xe2\x80\x9cConfiguring Remote Access Accounts.\xe2\x80\x9d\n                                                31\n                                    SENSITIVE BUT UNCLASSIFIED\n\x0c                         SENSITIVE BUT UNCLASSIFIED\n\n\xef\x82\xb7   (U) Inspection of the Bureau of Consular Affairs, Office of Consular Systems and\n    Technology (ISP/I-11-51, May 2011)\n\n    (U) Access control weaknesses were noted in this report. 
One key judgment noted was\n    the following: \xe2\x80\x9cAccess controls for assigning and tracking user accounts in various\n    critical systems in the Office of Consular Systems and Technology (CST) need to be\n    strengthened.\xe2\x80\x9d Specifically, the report noted, among other weaknesses, that Government\n    supervisors were not able to verify that contractor Database Administrator (DBA) roles\n    and responsibilities accurately reflected their assigned duties. Therefore, the potential\n    existed for a developer or DBA to perform other activities such as testing and/or\n    migrating changes to production without anyone being aware of these actions, which\n    leads to inadequate separation of duties issues. Also, the contractor DBA\xe2\x80\x99s user accounts\n    are created and monitored by contractors themselves. Although CST government\n    management approval is required at the initial user access request, there is no regular\n    Government staff review to ensure that continued access is necessary for contract staff.\n    The report identified two recommendations related to access controls that were\n    unresolved as of June 2012.\n\n\n\n\n                                     32\n                         SENSITIVE BUT UNCLASSIFIED\n\x0c                                SENSITIVE BUT UNCLASSIFIED\n\n                                                                                      Appendix C\n\n           (SBU) Proposed Net-Centric Diplomacy Security Enhancements\n           (SBU) The Net-Centric Diplomacy (NCD) team has initiated an application redesign\n   project aimed at enhancing the security posture of NCD. 
Per a plan of action provided to the Office of Inspector General (OIG) by the NCD team (NCD.09.00.00 Plan of Action, dated February 12, 2012), the purpose of the redesign effort was to make software modifications that enhance the security posture of NCD.

(SBU) The key software security requirements identified and to be addressed in the redesign effort included the following:
(b) (5)

(SBU) Appendix D

United States Department of State
Washington, D.C. 20520

August 22, 2012

MEMORANDUM

TO:      OIG - Ms. Evelyn Klemstine
         OIG - Mr. Jerry Rainwaters

FROM:    IRM/BMP/SPO/SPD - Robert Glunt

SUBJECT: OIG Audit of Department of State Access Controls for Major Applications, AUD/IT-12-44, August 2012

The purpose of this memorandum is to provide a response to the subject audit. IRM comments on recommendations 1, 2, 3, 4, 7, 9 and 10 are attached.

IRM concurs with most, but not all, OIG recommendations associated with the subject audit. Recommendation 4 references both NCD and SMART-C, so IRM's response has been split to address NCD and SMART-C separately.

Audit of the Department of State Access Controls for Major Applications
AUD/IT-12-44
August 2012

Recommendation 1: OIG recommends that the Chief Information Officer acquire the technical resources and implement the enhancements identified by the Net-Centric Diplomacy (NCD) team in NCD.09.00.00 Plan of Action, dated February 12, 2012, to ensure that users do not have broader access to cables than what is required to perform their duties.

IRM Response: IRM concurs with the recommendation to acquire the necessary technical resources to implement the NCD.09.00.00 Plan of Action. As of June 11, 2012, these resources have been acquired and a full team of developers is in place and actively working on the NCD.09.00.00 software release.

Certain security enhancements identified in the NCD.09.00.00 Plan of Action - such as those to ensure users do not have broader access to cables than required to perform their duties - were implemented in an incremental release to NCD (version 8.5.2). This release mitigates the major risks identified in the NCD Certification and Authorization (C&A) process and allows IRM the authority to continue operating NCD while moving forward with NCD.09.00.00 development to address the remaining security enhancements and open defects. The scheduled release date of this new NCD version is January 2013. The original scheduled release date of NCD.09.00.00 for October 2012 was postponed to address the major risks identified during the C&A.

Recommendation 2: OIG recommends that the Chief Information Officer establish standard training requirements for post Classified State Messaging and Archive Retrieval Toolset (SMART-C) and ensure that system administrators receive required training before they are assigned and annually thereafter.

IRM Response: IRM concurs with Recommendation 2. FSI established week-long classroom and long distance system administrator training based on training requirements from IRM. As well, IRM has developed the draft SMART Messaging Guidebook, currently under review by IRM/BMP/GRP/GP for publication, which provides specific guidance on the proper handling of sensitive captions and cables for translation into RBAC provisioning for each user. There is also an extensive online catalog of documentation and videos for training.

Additionally, IRM will restate its expectation that all system administrators take FSI's system administrator training and annually re-familiarize themselves with the material.

Recommendation 3: OIG recommends that the Chief Information Officer implement logical access controls to ensure that system administrators do not have the ability to read information within sensitive cables that they do not need to perform their administrative duties.

IRM Response: IRM does not concur with Recommendation 3. System administrators have access to all incoming and outgoing messages, the former to redirect dissemination if required, the latter to ensure compliance with State Department standards for formatting and application of metadata (e.g., captions). Because SMART standardizes formatting and metadata, there are fewer messages that require administrator access. Nonetheless, to ensure the timely delivery of traffic in the case of user or system error, there is no class of message to which an administrator can be logically denied access. SMART logs provide a record of message access through dissemination and search by all employees, including system administrators. Additionally, administrators at a post can only view and access incoming and outgoing traffic at assigned posts; they do not have access outside their post unless specifically granted. A post user can see another post's cables only if the SMART administrator at the original post grants them access.

Due to the critical mission functions of Embassies abroad, and the impact upon safety issues, Foreign Service Information Technology personnel are required to have full administrative access to all systems. In the event of local crisis such as civil disorder, each Foreign Service IT officer must be able to perform each other's technical duties.

The same principle applies domestically with respect to core functions of IRM, such as SMART. Unrestricted administrative access to the SMART database ensures each administrator can respond in an immediate manner to troubleshoot issues related to this core function upon which key Department decision makers are dependent to perform the Department's mission critical functions as identified by the Office of Emergency Management.

Recommendation 4: OIG recommends that the Chief Information Officer equip the Net-Centric Diplomacy (NCD) and Classified State Messaging and Archive Retrieval Toolset (SMART-C) applications with audit trail capabilities to log user and administrator activity.

IRM Response: IRM concurs with Recommendation 4 in reference to Net-Centric Diplomacy (NCD). As of May 31, an audit trail capability has been implemented in NCD. With this capability, NCD administrators are now auditing the following user activities: Login, Logout, File Opened, Read Cable, Print Cable, Search Query, File Modified, File Deleted, and File Download. NCD system administrators receive an email alert whenever any of these auditable events exceed a pre-defined limit. If, after analyzing the alerts, any suspicious activity is identified, users are prohibited from performing these operations for an administrator-determined period of time. This allows time to investigate the activity.

As part of the daily administration of NCD, two system administrators review the audit logs for each NCD server. They are monitoring the above activities along with indications of unauthorized changes to the configuration settings and attempts to execute unauthorized software within the NCD system. The audit logs are backed up daily and retained for 6 months in accordance with NIST requirements and State Department IT security policy.

IRM concurs with Recommendation 4 in reference to Classified State Messaging and Archive Retrieval Toolset (SMART-C). The audit log contains ALL administrative changes to SMART. Both MSMC and post administrators have access to the audit log from the main SMART page. The SMART audit log provides a record of actions performed on the SMART database and allows administrators (both MSMC and Post) to find actions based on when they occurred, who performed them, the users affected by them, text within the actions, and other criteria.

IRM, in consultation with DS, will continue to seek a commercial or custom solution, but to date has been unable to find a COTS product that will validly detect anomalies. Commercial systems look for departures from routine practices, e.g., a credit card user begins charging high-value items in a different country. However, patterns of standard usage among State Department SMART users are so different that we do not have a norm from which variance might trigger an alert.

Recommendation 7: OIG recommends that the Chief Information Officer (CIO) require system owners to annually revalidate user and administrator accounts, remove those accounts that no longer require access, and certify to the CIO that revalidation has been completed.

IRM Response: IRM substantively agrees with the recommendation. System owners will receive clear guidance to annually revalidate user and administrator accounts and remove those accounts that no longer require access. Additionally, this guidance will be incorporated into role-based training for personnel with elevated privileges.
IRM will continuously monitor stale user accounts to ensure that stale user account scoring in iPost occurs at each site level. This will allow site level owners to address stale accounts in their organizational units (OU). This change in iPost will occur in October of this calendar year.

Recommendation 9: OIG recommends that the Chief Information Officer institute a formal process to require system owners to certify that the Information Systems Security Officer has reviewed audit logs monthly in order to detect and resolve potential security incidents in a timely manner.

IRM Response: IRM agrees with the recommendation. The ISSO and key system administrators of owning sites will be required to review audit logs monthly in order to detect and resolve potential security incidents in a timely manner. Additionally, this guidance will be incorporated into role-based training for personnel with elevated privileges.
(b) (5)

September 10, 2012

TO:      OIG - Ms. Evelyn Klemstine
         OIG - Mr. Jerry Rainwaters

FROM:    IRM/BMP/SPO/SPD - Robert Glunt

SUBJECT: [illegible] Controls for [illegible]

Attached, find IRM's updated response to OIG Recommendation 10, cleared by the Bureaus of Diplomatic Security and Consular Affairs.

IRM's response to Recommendation 3, sent to the OIG on [illegible], was cleared by the Bureau of Diplomatic Security, without [illegible]

(b) (5)

(SBU) Appendix E

United States Department of State
Washington, D.C. 20520
www.state.gov

SEP 07 2012
SENSITIVE BUT UNCLASSIFIED
(UNCLASSIFIED when separated from attachment)

INFORMATION MEMO TO OIG - DEPUTY INSPECTOR GENERAL HAROLD W. GEISEL

FROM:    DS - Eric J. Boswell

SUBJECT: Compliance Response and DS Comments - Audit of Department of State Access Controls for Major Applications, Report AUD/IT-12-44, August 2012

(U) Attached are the Bureau of Diplomatic Security's comments and follow-up response to Recommendation 5 of the subject report.

Attachment:
     As stated.

DS Comments to U.S.
Department of State and the Broadcasting Board of Governors
Office of Inspector General, Office of Audits
Audit of Department of State Access Controls for Major Applications
Report # AUD/IT-12-44, August 2012

Comments & Corrections

  1. (SBU) OIG Report: Table 2, center column, titled "Original and Final Samples of the Department's Major Applications," the entry for Investigative Management System (IMS-C) reads: (Page 22)

     "IMS-C captures all classified case-related information; automates, integrates, and improves OIG's investigative business processes; establishes a central index encompassing all DS classified investigations; and provides investigative and/or intelligence analysis and analytical"

     DS Comment (09/06/2012): Please revise the entry to read:

     "IMS-C captures all classified case-related information; automates, integrates, and improves DS's investigative business processes; establishes a central index encompassing all DS classified investigations; and provides investigative and/or intelligence analysis and analytical"

(b) (5)

(SBU) Appendix F

United States Department of State
Assistant Secretary of State for Consular Affairs
Washington, D.C. 20520

UNCLASSIFIED                                              August 16, 2012

MEMORANDUM

TO:      OIG - Harold W. Geisel, Acting

FROM:    CA - James D. Pettit, Acting

SUBJECT: Compliance Response to OIG Inspection on Audit of Department of State Access Controls for Major Applications AUD/IT-12-44

Thank you for the opportunity to submit a compliance response for Audit of Department of State Access Controls for Major Applications. CA is an action/coordinating entity on Recommendation 8. We have reviewed the recommendation in the report and have the following update:

Recommendation 8: The OIG recommends that the Bureau of Consular Affairs (CA), Office of Consular Systems and Technology, provide additional guidance to key users of CA's applications at post to ensure that consular managers and other key users of those applications understand administrative features related to creating and managing user accounts for consular applications. (Action: CA)

CA Response August 16, 2012: CA agrees with the recommendation. CA's Office of Consular Systems and Technology and Office of the Executive Director are working to develop standard guidance for consular managers and key application users to safeguard the integrity and accountability of consular processes.
CA has looked into consolidating existing user roles and is developing guidance that will outline clear and consistent instructions for each role.

CA will establish consistent procedures for regularly reviewing, validating, and decommissioning user accounts, as well as adding, deleting, and modifying user roles to ensure all users have appropriate access based on clearance level, citizenship status, organization, and need to know.

(SBU) Appendix G

United States Department of State
Washington, D.C. 20520

MEMORANDUM

TO:      IG - Mr. Harold W. Geisel, Acting

FROM:    DGHR - Linda Thomas-Greenfield

SUBJECT: Draft Report - Audit of Department of State Access Controls for Major Applications

Thank you for the opportunity to provide comment regarding the above-named OIG audit report draft. We would like to take this opportunity to respond to Recommendation 6.

Recommendation 6: OIG recommends that the Bureau of Human Resources institute a formal process to notify system owners on a monthly basis of employee departures to ensure the timely removal of accounts of departing or transferring employees.

DGHR Response:
Since 2010, HR/EX, through coordination with the office of the Managing Director of CGFS/DCFO (at that time RM/DCFO), has been submitting a monthly Separations Report to all system owners for appropriate action. DCFO regularly provides HR/EX with updates to the system owner distribution list. This list includes designated points of contact as determined by System and Business Managers throughout the Department.

At the time of origin, the Report was based upon the effective Date of Separation as recorded in the Global Employment Management System, GEMS. Due to the appearance of a gap in the data when individual actions were not processed in a timely manner by bureaus, HR/EX revised the report logic so that, since January 2012, it has been based upon the processed date. The report, of course, continues to show the effective date so that system owners can take proper action.

Due to the fact that the requested HR report is in place and is distributed to system owners on a monthly basis, DGHR respectfully requests that this recommendation be removed or closed.

(U) Major Contributors to This Report

(U) Jerry Rainwaters, Director
Division of Information Technology
Office of Audits

(U) Isaac Apea, Audit Manager
Division of Information Technology
Office of Audits

(U) Steve Matthews, Technical Lead/Audit Manager
Division of Information Technology
Office of Audits

(U) Oludayo Onafowokan, Senior IT Auditor
Division of Information Technology
Office of Audits

(U) Jamie Horvath, Senior IT Auditor
Division of Information Technology
Office of Audits

(U) Ernie Arciello, Statistician
Division of Audit Operations
Office of Audits

(U) Audrey Urbanczyk, Writer-Editor
Division of Audit Operations
Office of Audits

FRAUD, WASTE, ABUSE, OR MISMANAGEMENT of Federal programs and resources hurts everyone.

Call the Office of Inspector General HOTLINE
202/647-3320 or 1-800-409-9926
to report illegal or wasteful activities.

You may also write to
Office of Inspector General
U.S. Department of State
Post Office Box 9778
Arlington, VA 22219

Please visit our Web site at oig.state.gov

Cables to the Inspector General should be slugged “OIG Channel” to ensure confidentiality.